Symantec Privileged Access Management

  • 1.  RedHat Meltdown Patch Conflict with CA PIM endpoint

    Posted Jan 05, 2018 12:37 PM

    We're starting to lab test RedHat's patches for the Meltdown vulnerability on CA PIM 12.8.1 endpoints, and they crash immediately on reboot.  RedHat is advising to not run seos.  We follow their advice, disable seos, and no problems.  Anyone else also seeing this problem?  Anyone seeing any other types of problems (either endpoint or ENTM related) as a result of Meltdown / Spectre patching?

     

    I've reached out to our company's support team about whether there's a CA customer forum about this, and have gotten no response so far.  We've also opened a case for this, but fallout coming directly from Meltdown / Spectre patching will be widespread, and deserves coordinated and regularly updated communication from CA to their customers.  



  • 2.  Re: RedHat Meltdown Patch Conflict with CA PIM endpoint

    Posted Jan 05, 2018 12:48 PM

    Initial case response from RedHat:

     

    Case Open Date   : 2018-01-05 08:21:18

    Severity         : 1 (Urgent)

    Problem Type     : Defect / Bug

     

    Most recent comment: On 2018-01-05 11:07:50, Yelle, Nick commented:

    "Hi,

     

    Thank you for the confirmation. We can see that the system experiences a panic immediately after making a system call.

    I noted that the "seos" driver modifies the kernel system call table and replaces some of the calls with its own code.

     

    I'm still looking at the core. I'll have more details for you shortly. For the time being however I'd recommend leaving 'seos' driver disabled and opening a case with this vendor.

     

    \\\\\\\\\\\\\\\\\\\\\\\\\\\\\ WORKING NOTES \\\\\\\\\\\\\\\\\\\\\\\\\\\\\

     

     

    crash> sys | grep -i -e load -e node -e rel -e date -e panic -e cpus ;

            CPUS: 2

            DATE: Thu Jan  4 13:39:06 2018

    LOAD AVERAGE: 0.28, 0.08, 0.02

        NODENAME: njros1ld132

         RELEASE: 2.6.32-696.18.7.el6.x86_64

           PANIC: "BUG: unable to handle kernel NULL pointer dereference at 0000000000000038"

     

    crash> bt

    PID: 3402   TASK: ffff8802332c8040  CPU: 0   COMMAND: "seosd"

     #0 [ffff88023920bb20] machine_kexec at ffffffff8103eb3b

     #1 [ffff88023920bb80] crash_kexec at ffffffff810d2772

     #2 [ffff88023920bc50] oops_end at ffffffff81550570

     #3 [ffff88023920bc80] no_context at ffffffff810515eb

     #4 [ffff88023920bcd0] __bad_area_nosemaphore at ffffffff81051875

     #5 [ffff88023920bd20] bad_area at ffffffff8105199e

     #6 [ffff88023920bd50] __do_page_fault at ffffffff810521c3

     #7 [ffff88023920be70] do_page_fault at ffffffff815524fe

     #8 [ffff88023920bea0] page_fault at ffffffff8154f365

        [exception RIP: stub_clone+0x13]

        RIP: ffffffff81556a73  RSP: ffff88023920bf50  RFLAGS: 00010283

        RAX: 0000000000000038  RBX: 0000000000000000  RCX: 00007f494f2b19d0

        RDX: 00007f494f2b19d0  RSI: 00007f494f2b0fd0  RDI: 00000000003d0f00

        RBP: 0000000000000000   R8: 00007f494f2b1700   R9: 00007f494f2b1700

        R10: 00007f494f2b19d0  R11: 00007ffc4efbb3a8  R12: 0000000000000000

        R13: 0000000000000000  R14: 0000000000000000  R15: 0000000000000000

        ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018

     #9 [ffff88023920bf50] system_call_fastpath at ffffffff815566d6

        RIP: 000000338b2e8b91  RSP: 00007ffc4efbb3a8  RFLAGS: 00010202

        RAX: 0000000000000038  RBX: 00007f494f2b1700  RCX: ffffffff8155656a

        RDX: 00007f494f2b19d0  RSI: 00007f494f2b0fd0  RDI: 00000000003d0f00

        RBP: 0000000000000000   R8: 00007f494f2b1700   R9: 00007f494f2b1700

        R10: 00007f494f2b19d0  R11: 0000000000000202  R12: 00007ffc4efbb5b0

        R13: 00007f494f2b19c0  R14: 0000000000000000  R15: 0000000000000003

        ORIG_RAX: 0000000000000038  CS: 0033  SS: 002b

     

     

    crash> dis -r ffffffff815566d6

    0xffffffff815566c0 <system_call_fastpath>:     cmp    $0x137,%rax

    0xffffffff815566c6 <system_call_fastpath+0x6>: ja     0xffffffff81556844 <badsys>

    0xffffffff815566cc <system_call_fastpath+0xc>: mov    %r10,%rcx

    0xffffffff815566cf <system_call_fastpath+0xf>: callq  *-0x7e9ffa20(,%rax,8)

    0xffffffff815566d6 <system_call_fastpath+0x16>: mov   %rax,0x50(%rsp)

    crash> dis -r ffffffff81556a73

    0xffffffff81556a60 <stub_clone>:       mov    %gs:0xf708,%r11

    0xffffffff81556a69 <stub_clone+0x9>:   mov    %r11,-0xa12ff60(%rsp)

    0xffffffff81556a71 <stub_clone+0x11>:   out    %eax,$0x1e

    0xffffffff81556a73 <stub_clone+0x13>:   test   %ah,(%rax,%rbp,4)              <------

     

        RAX: 0000000000000038

        RBP: 0000000000000000

     

    Best,

     

    Nick
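
Added example (not part of the original posts or of Red Hat's working notes): a short Python triage of the crash output quoted above. It checks that the faulting entry stub matches the syscall seosd was making (ORIG_RAX 0x38 is clone on x86_64) and that the panic address is the RAX-based operand shown in the disassembly. The sample text is a trimmed, constructed copy of the quoted dump, and the function and field names are hypothetical.

```python
import re

# Constructed sample: lines trimmed from the crash output quoted in the post above.
SAMPLE = """\
       PANIC: "BUG: unable to handle kernel NULL pointer dereference at 0000000000000038"
PID: 3402   TASK: ffff8802332c8040  CPU: 0   COMMAND: "seosd"
    [exception RIP: stub_clone+0x13]
    RAX: 0000000000000038  RBX: 0000000000000000  RCX: 00007f494f2b19d0
    RBP: 0000000000000000   R8: 00007f494f2b1700   R9: 00007f494f2b1700
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #9 [ffff88023920bf50] system_call_fastpath at ffffffff815566d6
    RAX: 0000000000000038  RBX: 00007f494f2b1700  RCX: ffffffff8155656a
    ORIG_RAX: 0000000000000038  CS: 0033  SS: 002b
"""

# Excerpt of the x86_64 syscall numbering (process-creation calls only).
X86_64_SYSCALLS = {56: "clone", 57: "fork", 58: "vfork", 59: "execve"}


def _grab(pattern, text):
    """Return the first capture group, or fail loudly on a truncated dump."""
    m = re.search(pattern, text, re.S)
    if m is None:
        raise ValueError("field not found in crash output: " + pattern)
    return m.group(1)


def triage(text):
    """Summarise a crash 'sys' + 'bt' dump for a fault on the syscall entry path."""
    symbol = _grab(r"exception RIP: (\w+)\+0x", text)
    # Registers of the kernel-mode exception frame (first ones after the RIP line).
    rax = int(_grab(r"exception RIP:.*?\bRAX: ([0-9a-f]+)", text), 16)
    rbp = int(_grab(r"exception RIP:.*?\bRBP: ([0-9a-f]+)", text), 16)
    # The user-mode frame (CS 0033) keeps the requested syscall number in ORIG_RAX.
    nr = int(_grab(r"ORIG_RAX: ([0-9a-f]+)\s+CS: 0033", text), 16)
    fault = int(_grab(r"dereference at ([0-9a-f]+)", text), 16)
    name = X86_64_SYSCALLS.get(nr, "unknown")
    return {
        "command": _grab(r'COMMAND: "([^"]+)"', text),
        "fault_symbol": symbol,
        "syscall": name,
        # True when the faulting entry stub belongs to the syscall being made.
        "stub_matches_syscall": symbol == "stub_" + name,
        # Operand (%rax,%rbp,4) in the quoted disassembly is RAX + 4*RBP.
        "fault_is_rax_operand": fault == rax + 4 * rbp,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```
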



  • 3.  Re: RedHat Meltdown Patch Conflict with CA PIM endpoint
    Best Answer

    Posted Jan 05, 2018 06:14 PM

    Hi Susan,

     

    Thank you for submitting this question in the PIM communities forum. We are aware of the issue and working towards a solution. As this type of case requires a more thorough investigation and analysis, it is best handled through support with an open issue.

    thanks,

    Carlos Solla

    CA Technologies



  • 4.  Re: RedHat Meltdown Patch Conflict with CA PIM endpoint

    Posted Mar 05, 2018 04:14 PM

    The following link provides all recent patching done for CA PIM (includes Meltdown kernel patches).

     

    CA Privileged Identity Manager Solutions & Patches - CA Technologies 

     

    Regards,

     

    Jason Tejada Valiente